Metasploit mailing list archives

MS08-067 Win2K3 German lang. support


From: jerome.athias at free.fr (Jerome Athias)
Date: Mon, 13 Apr 2009 09:40:41 +0200

Heya,

This is an interesting thread, for non-US pentesters and also for the
static-address problem of the msf exploit modules.
The thing is: when a universal address can't be found for an
exploit, we'll have to find one for our locale, and we'll have to
UPDATE this one in the future to keep reliability.
Here using the opcodes database is interesting.
Having a tag in the exploit to know what type of opcode is needed is
useful (without having to parse the module code). So then you'll be
able, for example, to define a locale when using autopwn, and use the
opcodes db to automatically retrieve an address matching the
fingerprinting results.
Even if a manual test would be highly recommended.

For that I'm playing with an opcodes database built on msfpescans of KBs
of all the possible locales.
http://www.ja-psi.com/securite-informatique/microsoft-opcodes-database.php
For now, I've downloaded the following (7,881) KBs:
http://www.ja-psi.com/securite-informatique/KB_list_ok.txt

Hope to be able to finish and release this stuff in the near future :p

My 2cts
/JA

christopher.riley at r-it.at wrote:

I've finally had the time to look at the current ms08_067_netapi.rb
exploit with a mind to finding the return-to-ESI addresses for the
German language edition of Win2K3 (sp0-2).

SP0 ret => 0x71a034ce
SP1 ret => 0x71a03ece
SP2 ret => 0x71a03a05

Hopefully this will stop people saying the exploit is only valid on
English systems and there is no need to patch other language systems.
Hard to believe, but I've heard this argument recently.

These addresses are all based on the existing JMP ESI in ws2help.dll
used by the existing Win2K3 English exploit (NO NX)

It would be great if anybody on the list using German Win2K3 could
recheck my results. It's always good to have a second opinion. Also I'd
like to suggest that the non-English speaking users on the list do this
for their localized version of Windows Server as well. Metasploit
supports a lot of WinXP languages but not so many on the server side.

For those not aware of how to do this, it's a simple case of using
msfpescan -f <dll to examine> -j <desired JMP>, then trying out the
various results to find a viable option. The exploits have a lot of
information on what is required, so reading the code is enough to
figure most of it out. When testing NO NX exploits, remember to change
the /NoExecute= in boot.ini to AlwaysOff. I lost some time to this
myself ;)

Now to my question. The above results are all well and good (how can I
go about getting them into the SVN version?), however the language
pack of the Win2K3 system isn't detected automatically, leaving a
manual target setting as the only option. Where can I find the
language pack detection and what can I do to help Metasploit better
detect it? Is there a signature matching process (as with NMAP) or is it
(as I fear) much more complex?

Also, what can I do to recreate the NX bypass for the German version?
It's not going to be as simple as the NO NX stuff, I'm sure.

As always, I'm just learning this stuff, so feel free to point out my
obvious mistakes.

Chris John Riley
----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien,
DVR 0486809, UID ATU 16351908

Correspondence with above mentioned sender via e-mail is only for
information purposes. This medium may not be used for exchange of
legally-binding communications.
----------------------------------------
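The procedure the two messages describe (scan a DLL for a `JMP ESI`-style trampoline per locale and service pack, then keep the per-build addresses in a table and check whether any address is common to all builds) can be shown end to end in a short script. The following is an added example, not msfpescan, not the ms08_067_netapi module and not Jerome's database: it parses PE section headers by hand, does the same byte search `msfpescan -j esi` does, and builds a `(product, sp, lang)`-keyed opcode table. The `build_test_pe` images, the `0x71A00000` base, the `EN_CODE`/`DE_CODE` byte strings and the product/locale keys are constructed stand-ins, not real ws2help.dll data or the real addresses quoted above.

```python
"""Added example: an msfpescan-style 'jmp esi' finder plus the per-locale
opcode table the thread describes. Not msfpescan itself and not Jerome's
database; the PE images below are constructed in-memory stand-ins."""
import struct

# Byte patterns for the register-return trampolines `msfpescan -j esi` reports.
TRAMPOLINES = {"jmp esi": b"\xff\xe6", "call esi": b"\xff\xd6", "push esi; ret": b"\x56\xc3"}


def parse_pe(data):
    """Return (image_base, [(name, vaddr, vsize, rawptr, rawsize), ...]) from a PE image."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:            # PE32: ImageBase is a DWORD at offset 28
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:          # PE32+: ImageBase is a QWORD at offset 24
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, vaddr, vsize, rawptr, rawsize))
    return image_base, sections


def find_trampolines(data, patterns=TRAMPOLINES):
    """Virtual addresses of every trampoline byte pattern, like `msfpescan -j`.
    Like msfpescan this is a byte search, not a disassembly: a hit may sit
    inside another instruction, which is why the thread insists on testing."""
    image_base, sections = parse_pe(data)
    hits = []
    for name, vaddr, vsize, rawptr, rawsize in sections:
        raw = data[rawptr:rawptr + rawsize]
        for label, pat in patterns.items():
            i = raw.find(pat)
            while i >= 0:
                if i < vsize:     # skip file-alignment padding that is never mapped
                    hits.append((image_base + vaddr + i, label, name))
                i = raw.find(pat, i + 1)
    return sorted(hits)


def build_opcode_db(images):
    """images: {(product, sp, lang): pe_bytes} -> {(product, sp, lang): {label: set(addr)}}.
    This is the 'msfpescan every locale's binary' step, keyed by the fingerprint."""
    db = {}
    for key, data in images.items():
        entry = {}
        for addr, label, _section in find_trampolines(data):
            entry.setdefault(label, set()).add(addr)
        db[key] = entry
    return db


def universal_addresses(db, label):
    """Addresses present in every build: if non-empty, one hardcoded return works everywhere."""
    sets = [entry.get(label, set()) for entry in db.values()]
    return set.intersection(*sets) if sets else set()


def build_test_pe(image_base, code, text_va=0x1000):
    """Constructed minimal PE32 DLL with one .text section (a stand-in, not a real ws2help.dll)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)   # i386, 1 section, DLL
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, len(code), 0, 0, text_va, text_va, 0)
    opt += struct.pack("<I", image_base)                              # ImageBase at offset 28
    opt += b"\0" * (0xE0 - len(opt))                                  # rest of the optional header
    rawsize = (len(code) + 0x1FF) & ~0x1FF                            # 0x200 file alignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), text_va, rawsize, 0x200, 0, 0, 0, 0, 0x60000020)
    hdrs = dos + b"PE\0\0" + coff + opt + sec
    return hdrs + b"\0" * (0x200 - len(hdrs)) + code + b"\0" * (rawsize - len(code))


# Constructed sample images: the same base address in two locales, but the
# jmp esi sits at a different offset in the DE build, as per-locale builds tend to.
EN_CODE = b"\x90\x90\xff\xe6\x90\xff\xd6\x56\xc3"
DE_CODE = b"\x90\xff\xe6\x90\x90\xff\xd6\x56\xc3"
IMAGES = {
    ("win2k3", "sp1", "en"): build_test_pe(0x71A00000, EN_CODE),
    ("win2k3", "sp1", "de"): build_test_pe(0x71A00000, DE_CODE),
}

if __name__ == "__main__":
    db = build_opcode_db(IMAGES)
    for key, entry in sorted(db.items()):
        print(key, {k: [hex(a) for a in sorted(v)] for k, v in entry.items()})
    print("universal jmp esi:", [hex(a) for a in universal_addresses(db, "jmp esi")])
    print("universal call esi:", [hex(a) for a in universal_addresses(db, "call esi")])
```

On the two constructed images there is no `jmp esi` common to both locales, so an exploit tagged as needing one would have to pick the address by fingerprint (which is Jerome's autopwn-plus-locale idea), while a `call esi` happens to be universal. Real DLLs are rebased, rebuilt and patched per KB, so any address pulled from such a table still needs the manual test both authors ask for.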
